This week two serious vulnerabilities were disclosed that affect many modern CPUs [1]. This update is meant to give a security status assessment updated with all information we have collected on this incident, as of Friday the 5th of January 15:30 UTC.

Contentful's server platform is hosted on virtual machines in the Amazon Web Services cloud. We use the "hardware virtualization" option exclusively, which is not vulnerable to Meltdown. In any case AWS have, through a series of actions in the last few days, patched their systems to protect malicious users from leveraging Meltdown gaining access to information from other customers hosted on the same cloud service [2].

Attacks based on Meltdown and Spectre require local access to execute code. Currently Contentful does not provide any option to run custom code so no third-party code can be run on our servers, therefore we believe the risk is mitigated through our existing security practices. In any event, we will install the operating system patches to protect against Meltdown and Spectre which are due to be released in the next few days.